Linux and Nagios

Let's say you've identified a dependency that is needed on your machine but don't know which package provides the required file. You can use "yum search <name> | grep <more granular name>" to narrow it down, but to see inside a package before installing it you can run the command below. In my example I was looking for what provided the "gettext.pm" file; the package "perl-gettext" looked like it might, so to be sure I ran:

In a continued bid to build a desktop Linux machine, I was working on getting three monitors working. One of the monitors uses the onboard graphics; the other two are plugged into a PCI-E riser card. The issue was that the monitor type is not detected by the onboard graphics, so it reports the incorrect resolution back, and changing this was proving very difficult. I'm using GNOME on CentOS 7 desktop.

Next I ran xrandr to get the list of all the monitor/adapter names. In my case these were VGA-1-1 (the unknown display, on the motherboard graphics), VGA-2 and DVI-I-1 (the latter two on the riser PCI-E card).

Finally I created a file called /etc/X11/xorg.conf.d/10-monitor.conf and added the following contents:

Whilst building a new home machine I came across an issue where the third screen in my three-screen setup was only seen as an "Unknown Display". My machine has an on-board graphics card and a 2-port PCI-E riser graphics card. The monitors connected to the 2-port riser were working correctly and the OS saw them as the LG monitors, but the third was showing as "Unknown Display". The problem this caused was that the screen's resolution should be 1440x900@60Hz, but the unknown display was only giving me the option of 1024x768@60 or lower.

So to fix this I used xrandr to set the monitor to a resolution I know it supports, as follows:

First run cvt to generate a mode, where 1440 is the width, 900 the height and 60 the refresh frequency in Hz.

In my case the output was VGA-1-1, so with this information I can apply the new mode to the monitor as follows:

# xrandr --addmode VGA-1-1 1440x900_60.00

Now if you go into "Settings" > "Display" and click on the unknown monitor, you'll notice a new resolution available in the drop-down. Select it, click "Apply" and hey presto, your monitor should now be showing the correct resolution.

The only issue is that the next time you reboot the changes will be gone. To resolve this, create a file called .xprofile in your home directory and add the following contents, all on a single line:
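As an added example (not code from the original post), here is a small POSIX shell helper that takes the Modeline printed by cvt and generates the xrandr commands for the three steps above, plus a single-line form for .xprofile. The cvt output it parses is a constructed sample in cvt's format for 1440x900@60, not the author's captured output; the output name VGA-1-1 comes from the post; joining the commands with && is my assumption about what the single .xprofile line contains.

```shell
#!/bin/sh
# Added example, not the post's own code: turn a cvt Modeline into the
# xrandr --newmode / --addmode / --output commands, and into a one-line
# form suitable for .xprofile. Assumptions: the Modeline format printed by
# cvt (one 'Modeline "<name>" <clock> <timings> <flags>' line) and that
# joining the commands with && is an acceptable single-line .xprofile entry.

# Constructed sample in cvt's output format (cvt 1440 900 60), not captured from the post.
SAMPLE_CVT='# 1440x900 59.89 Hz (CVT 1.30MA) hsync: 55.93 kHz; pclk: 106.50 MHz
Modeline "1440x900_60.00"  106.50  1440 1528 1672 1904  900 903 909 934 -hsync +vsync'

# cvt_modeline <cvt output> -> only the Modeline line (cvt also prints a comment line)
cvt_modeline() {
    printf '%s\n' "$1" | grep '^Modeline'
}

# mode_name <modeline> -> the quoted mode name without quotes, e.g. 1440x900_60.00
mode_name() {
    printf '%s\n' "$1" | sed -n 's/^Modeline[[:space:]]*"\([^"]*\)".*/\1/p'
}

# mode_args <modeline> -> clock, timings and sync flags, whitespace normalised
mode_args() {
    printf '%s\n' "$1" | sed -n 's/^Modeline[[:space:]]*"[^"]*"[[:space:]]*//p' | tr -s ' '
}

# xrandr_cmds <output name> <modeline> -> the three xrandr commands, one per line.
# Fails (exit 1) if the second argument is not a Modeline.
xrandr_cmds() {
    out="$1"
    name=$(mode_name "$2")
    args=$(mode_args "$2")
    [ -n "$name" ] && [ -n "$args" ] || { echo "not a Modeline: $2" >&2; return 1; }
    printf 'xrandr --newmode "%s" %s\n' "$name" "$args"   # register the mode with X
    printf 'xrandr --addmode %s %s\n' "$out" "$name"       # attach it to the output
    printf 'xrandr --output %s --mode %s\n' "$out" "$name" # switch the output to it
}

# xprofile_line <output name> <modeline> -> the same commands on one line, joined with &&
xprofile_line() {
    xrandr_cmds "$1" "$2" | awk 'NR > 1 { printf " && " } { printf "%s", $0 } END { print "" }'
}

SAMPLE_MODELINE=$(cvt_modeline "$SAMPLE_CVT")

# Usage: print the commands for the post's VGA-1-1 output, then the .xprofile line
xrandr_cmds VGA-1-1 "$SAMPLE_MODELINE"
xprofile_line VGA-1-1 "$SAMPLE_MODELINE"
```

One caveat when reusing the generated line: xrandr --newmode reports an error if a mode with that name is already registered, so if the line is ever run twice in one session the && chain stops at the first command.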

If you need to SSH to a host but don't have direct SSH access, you can use a reverse SSH tunnel. For this you need a host that will accept inbound connections to act as a "jump host". It is possible without one, by SSHing back to your client computer directly, but for the purposes of this example the setup is as follows:

1. TARGETSRV - Target host you want to connect to, you will start the SSH reverse tunnel from here.

2. JUMPHOST - The host you'll be connecting the reverse tunnel to from the TARGETSRV.

3. CLIENT - Your client computer that you'll be SSHing from to the JUMPHOST.

The first step is to start the reverse tunnel from TARGETSRV. Here we are creating a tunnel from port 22 on TARGETSRV to port 19999 on JUMPHOST, carried over a normal SSH connection on port 22.

# ssh -p 22 -R 19999:localhost:22 JUMPHOST -l <user>

Now SSH to the JUMPHOST from CLIENT and run the following command:

ssh -p 19999 127.0.0.1 -l <user>

Now you will be connected to TARGETSRV down the reverse tunnel. This is especially useful if your target host is behind a firewall where direct access is not possible.

additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

Could not bind to the LDAP server

The check_ldap plugin makes use of OpenLDAP. The OpenLDAP package is installed as part of the NagiosXI installation because the plugins depend on it, but it is left in an unconfigured state.

To resolve the problem, the following is required on each node (wtgc-nagios-01 and wtgc-nagios-02). First edit the file /etc/openldap/ldap.conf and add the following line at the bottom of the file:

So, looking for something to use your Raspberry Pi for? I had a Mk1 Raspberry Pi lying around and thought it might be good to set it up as an SSH gateway, so I could easily and securely access my home machines when out and about.

These instructions assume you have a Raspberry Pi with Raspbian Jessie installed. I'm also assuming you've enabled SSH and created a named account which you have already used to SSH to the Raspberry Pi over your network.

These instructions also have you move SSH to a non-standard port, set up two-factor authentication using Google Authenticator, and set up Fail2Ban so that hacking attempts can be blocked, at least to some extent.

Assuming you've done this, you are ready to start. Note that you should run apt-get update and apt-get upgrade first to ensure you are running the latest security updates.

SSH and Google Authenticator Configuration

1. Let's first disable root login via SSH.

sudo nano /etc/ssh/sshd_config

Change the PermitRootLogin line to read PermitRootLogin no.

2. Now within the same file change the port number from 22 to something non-standard like 2222 for example. Do this by changing the line Port 22 to read Port 2222.

3. At this point you should reboot the Raspberry Pi, then attempt to log in on port 2222. Don't go any further until you have this working.

4. Now we need to install the Google Authenticator package.

# sudo apt-get install libpam-google-authenticator

5. Once installed, run google-authenticator. Ensure you are logged in as the user you will be SSHing onto the box with, so that the authenticator configuration is written to that user's home directory.

# google-authenticator

Answer yes to all the prompts in the wizard. You should also make a note of the scratch codes in case you need them in future.

6. At the end you'll see a QR code. Now get out your smartphone and install the Google Authenticator app from your device's application store.

7. Now scan the QR code with the app, or enter the code manually. When done, your phone and your Raspberry Pi are paired via Google Authenticator and trust each other for authentication.

8. Finally we need to set SSH to use Google Authenticator as part of the authentication process, so you'll need to enter your username/password followed by the code generated by your phone to be able to log on.

9. Open the /etc/pam.d/sshd file with sudo nano /etc/pam.d/sshd and add the following line to the end of the file:

auth required pam_google_authenticator.so

10. Next open /etc/ssh/sshd_config, locate the ChallengeResponseAuthentication line (normally set to "no") and set it to "yes".

11. Finally restart the SSH server.

# sudo /etc/init.d/sshd restart

Do not close the active SSH window you are working in: if something went wrong you can quickly debug it from there. Open a new SSH window instead; you should be prompted for a password followed by the code, and all being well you should log in fine!

Common issue: check that your timezone and time are set correctly on the Raspberry Pi; if they are not, you will find your connection attempts are rejected.

You will also need to have punched a hole through your firewall on port 2222/TCP to the IP address of your Raspberry Pi if you want to access it externally.
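As an added example (not part of the original post), here is a POSIX shell audit script that checks an sshd_config and a PAM sshd file for the settings the steps above change, which is a quick way to confirm the hardening actually took effect before you expose the port. It writes constructed sample files to a temp directory so it runs without touching the real system; point audit_ssh at /etc/ssh/sshd_config and /etc/pam.d/sshd to check a live Pi. The UsePAM check is my addition: sshd only hands authentication to PAM, and therefore to the Google Authenticator module, when UsePAM is yes.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config and a
# PAM sshd file for the settings the steps above change. Constructed sample
# files are written to a temp dir so this runs without touching the real
# system; call audit_ssh /etc/ssh/sshd_config /etc/pam.d/sshd 2222 on a Pi.

# sshd_setting <config> <keyword> -> the value sshd will use for that keyword.
# Keywords are case-insensitive, comment lines are skipped, the FIRST match wins
# (that is how sshd resolves duplicates) and the scan stops at the first Match block.
sshd_setting() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# pam_has_google_auth <pam file> -> true if an active auth line loads the module
pam_has_google_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$1"
}

# check_eq <label> <actual> <expected>: print PASS/FAIL and count failures in $fails
check_eq() {
    if [ "$2" = "$3" ]; then
        echo "PASS $1 ($2)"
    else
        echo "FAIL $1 (got '${2:-<unset>}', want '$3')"
        fails=$((fails + 1))
    fi
}

# audit_ssh <sshd_config> <pam sshd file> <expected port>
# Prints one line per check; the return value is the number of failed checks.
audit_ssh() {
    fails=0
    check_eq "PermitRootLogin no" "$(sshd_setting "$1" PermitRootLogin)" no
    check_eq "Port $3" "$(sshd_setting "$1" Port)" "$3"
    check_eq "ChallengeResponseAuthentication yes" "$(sshd_setting "$1" ChallengeResponseAuthentication)" yes
    check_eq "UsePAM yes" "$(sshd_setting "$1" UsePAM)" yes
    if pam_has_google_auth "$2"; then r=yes; else r=no; fi
    check_eq "pam_google_authenticator.so active in $2" "$r" yes
    return "$fails"
}

# --- constructed sample files (not from the post) ---
TMP=$(mktemp -d)
HARDENED="$TMP/sshd_config.hardened"   # what the steps above leave behind
WEAK="$TMP/sshd_config.default"        # a typical untouched configuration
PAM_ON="$TMP/pam_sshd.on"
PAM_OFF="$TMP/pam_sshd.off"
cat > "$HARDENED" <<'EOF'
# constructed sample: keyword case differs on purpose to show the lookup is case-insensitive
Port 2222
permitrootlogin no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$WEAK" <<'EOF'
Port 22
PermitRootLogin without-password
ChallengeResponseAuthentication no
UsePAM yes
EOF
printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$PAM_ON"
printf '%s\n' '@include common-auth' '#auth required pam_google_authenticator.so' > "$PAM_OFF"

# Usage: the hardened pair passes every check; the default pair reports 4 failures
audit_ssh "$HARDENED" "$PAM_ON" 2222
audit_ssh "$WEAK" "$PAM_OFF" 2222
```

The script deliberately stops reading at the first Match block, because values inside Match apply only to the matched users or addresses; if your sshd_config uses Match you need to read those sections by hand.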

Fail2Ban Install and Configuration

We will now install Fail2Ban and configure it to watch port 2222/TCP, which we are now using for SSH; if more than two password failures occur, the IP address is added to the block list permanently. The configuration for the different services can be found in /etc/fail2ban/jail.conf. The default configuration only monitors SSH and bans a suspicious IP for 600 seconds after 6 unsuccessful attempts.

1. First install fail2ban with:

# apt-get install fail2ban

2. Then edit the file /etc/fail2ban/jail.local; you may need to create it if it does not exist yet.

# vi /etc/fail2ban/jail.local

3. Once you are editing the file add the following:

[ssh]
banaction = iptables-allports
bantime = -1
maxretry = 2

This will block all IP traffic from a host forever after two failed connection attempts.

Then edit the file /etc/fail2ban/jail.conf and add the following:

These settings mean that any banned IP address is added to the /etc/fail2ban/ip.list file, and after a restart of the Pi they are re-added to the iptables firewall. Note that this blocks the whole /24 subnet; you can omit this from the echo command above if you just want to block on an IP-by-IP basis.
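As an added example (not the post's own configuration), this POSIX shell script shows the re-adding step in a form you can review before it touches the firewall: it reads a fail2ban ip.list, optionally widens each address to its /24 as the post describes, removes duplicates, and prints the iptables DROP rules instead of applying them. The ip.list layout (one IPv4 address per line) and its path are assumptions about the post's setup; the addresses in the sample list are constructed documentation-range values.

```shell
#!/bin/sh
# Added example, not the post's own code: rebuild iptables DROP rules from a
# fail2ban ip.list (the file the post's jail.conf settings append banned
# addresses to). It prints the rules rather than applying them, so they can
# be reviewed; pipe the output to a root shell to apply. Assumption: ip.list
# holds one IPv4 address per line (blank lines and # comments are ignored).

# to_slash24 A.B.C.D -> A.B.C.0/24 (empty output for anything that is not a dotted quad)
to_slash24() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# ban_rules <ip.list> [ip|subnet]
# "ip" (default) blocks each address; "subnet" blocks its whole /24, as in the post.
# Duplicate entries (and several IPs in one /24) collapse to a single rule.
ban_rules() {
    list="$1"
    mode="${2:-ip}"
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 1; }
    while IFS= read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        if [ "$mode" = subnet ]; then
            addr=$(to_slash24 "$ip")
        else
            addr="$ip"
        fi
        [ -n "$addr" ] && printf '%s\n' "$addr"
    done < "$list" | sort -u | while IFS= read -r addr; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$addr"
    done
}

# Constructed sample list (documentation addresses), standing in for /etc/fail2ban/ip.list
SAMPLE_LIST=$(mktemp)
printf '%s\n' '203.0.113.10' '203.0.113.45' '# added by hand' '198.51.100.7' '198.51.100.7' > "$SAMPLE_LIST"

# Usage: review the rules, then apply with:  ban_rules /etc/fail2ban/ip.list subnet | sudo sh
ban_rules "$SAMPLE_LIST" subnet
```

Switching between ip and subnet mode is the same trade-off the post describes: a /24 rule stops a whole neighbourhood of addresses with one entry, but it also locks out everyone else behind that prefix, so review the generated list before applying it permanently.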

Restart the fail2ban service:

# sudo service fail2ban restart

Over time you'll see some IPs that are permanently banned. Check iptables for the firewall block rules with: